<p><strong>Sonatype Vulnerability com.liferay.portal.impl@42.0.0?type=jar</strong></p>
<p>Posted by Kevin Matthews, 2022-09-13, on liferay.dev (thread: https://liferay.dev/en/c/message_boards/find_thread?p_l_id=119785333&amp;threadId=121514148)</p>
<p>Hello,</p>
<p>Has Liferay done Sonatype scanning on the latest GA40 build releases? We ran a Sonatype scan that reported the following vulnerability on component
com.liferay.portal.impl@42.0.0?type=jar. <strong>Will Liferay
be providing an upgrade path for this vulnerability?</strong></p>
<p>Below is the Sonatype scan assessment:</p>
<p>
<strong>Recommended Version(s): </strong>No recommended versions are
available for the current component.<br />
<strong>Explanation: </strong>Liferay Portal contains a Cross-site
Scripting (XSS) vulnerability. The <code>getCurrentCompleteURL</code> and
<code>getCurrentURL</code> methods in <code>PortalImpl.class</code> do not properly escape
the URL string. An attacker can exploit this by including malicious
HTML code in the URL string that would then be parsed and executed.<br />
<strong>Detection: </strong>The application is vulnerable by using
this component.<br />
<strong>Recommendation: </strong>There is no non-vulnerable version of
this component/package. We recommend investigating alternative
components or a potential mitigating control.<br />
<strong>Threat Vectors: </strong>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</p>
<p>Thanks,</p>
<p>Kevin&
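<p>The scan text above says the reported weakness is a URL value that reaches page markup without being escaped, and it suggests a mitigating control. The following is an added example, written for this page and not code from the post, from Sonatype or from Liferay: it shows the usual mitigating control for that class of finding, which is to HTML-escape the value at the point where it is written into an attribute, regardless of how the URL was obtained. The class name <code>SafeUrlOutput</code>, the helper names and the sample URL are all constructed for illustration; Liferay ships its own helper for this purpose (<code>com.liferay.portal.kernel.util.HtmlUtil.escape</code>), and the self-contained escaper below only stands in for it so the example runs without the portal on the classpath.</p>

```java
/**
 * Added example (not Liferay's code): HTML-escape a URL string before it is
 * written into page markup, so that markup characters carried in the URL
 * are rendered as text instead of being parsed by the browser.
 */
public final class SafeUrlOutput {

    private SafeUrlOutput() {
    }

    /**
     * Minimal HTML escaper covering the five characters that matter inside
     * element text and quoted attribute values. In a Liferay deployment the
     * portal's own HtmlUtil.escape(String) serves the same purpose.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Builds a hidden form field that carries the current page URL (a common
     * use of the current URL in templates, e.g. as a "redirect back" value).
     * The value is escaped on output, which is the mitigating control.
     */
    public static String hiddenRedirectField(String currentCompleteUrl) {
        return "<input type=\"hidden\" name=\"redirect\" value=\""
            + escapeHtml(currentCompleteUrl) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample request URL whose query string carries markup
        // characters; in a real request this would come from the servlet request.
        String sample = "https://example.invalid/web/guest/home?search=<em>term</em>&page=\"1\"";

        System.out.println("raw URL : " + sample);
        System.out.println("escaped : " + hiddenRedirectField(sample));
        // Expected escaped value inside the attribute:
        // https://example.invalid/web/guest/home?search=&lt;em&gt;term&lt;/em&gt;&amp;page=&quot;1&quot;
    }
}
```

<p>The point of the example is where the escaping happens: the template (or the code that writes the attribute) escapes at output time, so it does not matter whether the method that produced the URL escaped it or not. Escaping for an attribute context and escaping for a JavaScript string context are different encodings; the helper above only covers HTML text and quoted attributes.</p>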